
Friday, October 17, 2008

Different methods of provisioning users from Oracle LDAP to E-Business Suite

Introduction

While working on the Oracle E-Business Suite login integration project with MS Active Directory through Oracle Internet Directory (OID), I have come across several ways to provision (add) new users in the E-Business Suite. Without Single Sign On, the only way to add new users is through the FND_USER_PKG or by using the Security => User => Define form of Oracle E-Business Suite 11i. Depending on the setup in OID, I have identified five different ways to add new users in 11i after integration with MS Active Directory.

Uni-directional provisioning from Oracle Internet Directory to the E-Business Suite

Options

On-Demand User Creation

On-Demand User Creation allows any enterprise user who has access to the SSO login page of the E-Business Suite to get an account created automatically. The user has to enter his/her Windows username/password on the SSO login page. A click on the 'OK' button will create a user in the FND_USER table of the E-Business Suite with a default 'Preferences SSWA' responsibility and will let the user access Oracle immediately.

Procedure

Set the profile 'Applications SSO Auto Link User' to 'Create a new user and link to OID user'.

Advantages

Account Creation in E-Business Suite is self-service and automatic.

Disadvantages

Lets any user in the enterprise have an Oracle account. Anyone who has the login webpage address can get an account created in 11i.

ldifwrite on OID and LDAPUserImport on 11i

Procedure

Use the ldifwrite command in the OID server to create a dump file containing the user's LDAP attributes and other information.

Copy the ldif file to one of the 11i middle-tiers.

Run the LDAPUserImport Java program to import the user into the FND_USER table.

Advantages

Control on user creation. Only genuine and approved users will be allowed to have an account in Oracle.

Disadvantages

Manual process. However, it can be automated as well.

provsubtool on OID and Workflow Subscription Event on 11i

Procedure

Run the provsubtool command in OID to add new users to an account subscription list.

On the 11i side, a workflow subscription event oracle.apps.fnd.subscription.add will be triggered at an appropriate time to add the users in the list to the FND_USER table in 11i.

Security => User => Define form in 11i

The good old way of using Security => User => Define can still be continued for provisioning users in 11i after an integration with an LDAP directory.

Procedure

Verify the user exists in OID using an ldapsearch command or by using the oidadmin tool.

Disable the 'Applications SSO LDAP Synchronization' profile option.

Create the user using the Security => User => Define form.

Unconditional Provisioning

By enabling the 'Applications SSO Enable OID Identity Add Event' system profile, the provisioning profile will add every user account to E-Business Suite that is synchronized from MS Active Directory to OID. Exercise caution before enabling this system profile because not every employee or consultant in an organization will need an Oracle account. This can lead to a proliferation of users in the FND_USER table.

Conclusion

Sufficient thought has to be exercised before enabling the Unconditional Provisioning or the On-Demand user creation as described above. Use one of the other three options for maximum control on user provisioning.

26 comments:

Hi Srinivas, Excellent Blog. We are working with the procedures in the fnd_user_pkg. We call the createuser procedure passing in the guid which we derive from the OID. The FND account is created and no errors are raised but the user_guid field is not populated. We are sure that this procedure used to work.

We can the subsequently call the updateuser procedure, again passing the guid, and the user_guid field is updated and attributes within the OID set.

Could it be that we require a specific profile option set (or combination of profile options)? Or is it, as Oracle support have informed me, that the createuser method doesn't touch the user_guid even though it has it defined in a public method?

I did use FND_USER package a couple of years ago. Now we create users directly via the CREATE USER form that comes in E-Business Suite. We make sure that the user we create exists in OID (we customized the create user form with a database link lookup to OID database). Using this approach we don't worry about USER_GUID.

The USER_GUID is automatically set when the user logs in for the "first time". We have set the 'Applications SSO Auto Link User' = 'Enabled'. So Oracle populates FND_USER's USER_GUID column with the same value as the corresponding record in OID.

So in short, you don't have to worry about USER_GUID even if you use the FND_USER pkg as long as you have the 'Applications SSO Auto Link User' = 'Enabled'. In fact enabling this profile option makes life easy for end users as they have to type in their OID username/pwd just once to use Oracle Applications.

I am not sure how FND_USER package updates attributes in OID. Usually OID attributes have to be the master. So you don't have to update them at all.

I set up SSO server and OID is running and integrated with apps. I can create a user in OID and the user successfully moves to the FND_USER table. Users can successfully login to apps using SSO server.

But the problem I am facing is that after deleting the user from OID, the user is not deleted from the FND_USER table. I set up the provisioning profile (ProvOIDToApps.tmp) while registering apps with SSO. Not sure now where to check and how to troubleshoot the user deletion from both OID and apps. I want users to be in sync between OID and apps (user creation, update and delete).

I vaguely remember working on such a test case (checking if delete in OID deletes in Oracle EBS table also). But we did not enable the automatic provisioning from OID to EBS, so we stopped worrying about this topic. We create users in EBS through a manual process (not automatic).

Now coming to your point, is the record getting deleted in OID or just disabled in OID? I have two suggestions for you.

1) Can you review this article that I posted.

http://www.dailydba.com/2008/11/restriction-on-automatic-user.html

The DIT structure also plays a role here.

2) There are a couple of manual ways to delete/end-date in E-Business Suite. You may not want to "delete" the row in E-Business Suite. Instead, you can just "enddate" the EBS record if the corresponding one is deleted in OID.

Please read the signature of the functions and procedures available for the DBMS_LDAP utility (You can run this from E-Business Suite database only which makes a connection to the OID server). Particular functions that may be of interest to you are search_s, compare_s etc.

Is your OID a gateway to Microsoft Active Directory (AD)? If so, you can use ldapsearch to search for orclsourceobjectdn globally in OID. If it contains the Disabled string, then find all such entries and take appropriate action in FND_USER table.

You can set up periodic cronjobs for the above and this should take care of your problem.

Try to create an SR with Oracle in case you are not satisfied with the above manual workarounds.
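The OID check before manual provisioning (the ldapsearch verification step in the Security => User => Define procedure above) and the orclsourceobjectdn "Disabled" check suggested in the reply above, as one added shell example that is not from the original post. It assumes the OID ldapsearch option syntax (-h/-p/-D/-w/-b/-s), placeholder host, bind DN, password and user base values, and the comment thread's convention that a disabled AD object carries "Disabled" in its orclsourceobjectdn (that depends on the AD OU layout); only check_ldif is exercised on constructed LDIF, oid_lookup needs a real OID.

```shell
#!/bin/sh
# Added example, not the original post's code. Placeholder connection values;
# override them in the environment. Use a read-only bind account in practice.
OID_HOST="${OID_HOST:-oid.example.com}"
OID_PORT="${OID_PORT:-389}"
BIND_DN="${BIND_DN:-cn=orcladmin}"
BIND_PW="${BIND_PW:-changeme}"
USER_BASE="${USER_BASE:-cn=Users,dc=example,dc=com}"

# Query OID for one uid; prints LDIF with the entry's dn, orclguid and
# orclsourceobjectdn (OID ldapsearch syntax assumed).
oid_lookup() {
  ldapsearch -h "$OID_HOST" -p "$OID_PORT" -D "$BIND_DN" -w "$BIND_PW" \
    -b "$USER_BASE" -s sub "(uid=$1)" orclguid orclsourceobjectdn
}

# Decide from LDIF text whether the user may be provisioned in EBS.
# Prints the orclguid on success. Exit status: 0 ok, 1 not found in OID,
# 2 ambiguous (more than one entry), 3 disabled at the source, 4 no GUID.
check_ldif() {
  ldif=$1
  n=$(printf '%s\n' "$ldif" | grep -c '^dn:')
  [ "$n" -eq 0 ] && return 1
  [ "$n" -gt 1 ] && return 2
  # Convention from the comment thread (assumed): a disabled AD object shows
  # "Disabled" in orclsourceobjectdn because of the OU it was moved to.
  printf '%s\n' "$ldif" | grep -i '^orclsourceobjectdn:' \
    | grep -qi 'Disabled' && return 3
  guid=$(printf '%s\n' "$ldif" | sed -n 's/^orclguid: *//p' | head -n 1)
  [ -n "$guid" ] || return 4
  printf '%s\n' "$guid"
  return 0
}

# precheck <uid>: prints the GUID to carry into the Define form or
# FND_USER_PKG, or fails with the status codes above.
precheck() {
  check_ldif "$(oid_lookup "$1")"
}
```

Run a non-zero status from precheck as a hard stop in any wrapper that creates the FND_USER row, so a missing, duplicate or source-disabled directory entry never gets an EBS account.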

When our users login, they can authenticate via SSO, but then they're presented with a blank form.

We can see that the user's account in FND_USER has a USER_GUID value. In order to try re-linking OID and eBS, we have null'ed the USER_GUID value, but to no avail.

Currently, we have the profile value 'Application SSO LDAP Synchronization' because we were getting an error message when trying to create new eBS users that the fnd_ldap_pkg.create_user was failing with an ORA-20001.

1) What is 10.2.0.4? Is it the Identity Management product version you are referring to or the database version? There is only 10.1.4.x that I know of in Oracle Identity Management.

2) Now coming to the actual issue, I feel it is not a problem with the SSO itself. If you get a blank page after authentication, then it could be a problem with the R12 side of it. Have you checked the OPMN, OC4J logs?

I'm in the midst of implementing SSO with Ebiz 11.5.10.2 integrated with AD. All the configurations have been completed and are working well. I've a requirement to check if there is any way we can avoid the responsibility (Preferences SSWA) getting assigned in the AD - OID - Ebiz direction of user provisioning.


Raj - Good to see your post. It has been a long time since I worked on SSO with Ebiz. I also noticed this "Preferences SSWA" getting defaulted when you create a user. This has nothing to do with OID provisioning. Oracle creates this default responsibility for every user you define in 11i. I don't exactly recall how you avoid this default initial responsibility. But it should be easy to fix.


Copyright and Disclaimer Notice

Copyright 2007 - 2017 DBA University, Inc. All Rights Reserved. No content of this website may be reprinted or otherwise reproduced without DBA University's permission. The posts and comments in this blog are on an "AS IS" basis without warranties. Always test your changes before pushing them to a real-time system !

Oracle is a registered trademark of Oracle Corporation and/or its affiliates .Other names may be trademarks of their respective owners.